Secure and Efficient LBIST for Feedback Shift

Register-Based Cryptographic Systems

1
Mr. D.PRAVEEN, 2Miss.T.BHAVANI, 3Mr.DEVIREDDY VENKATARAMI REDDY
1
PG Scholar, ECE, Madhira Institute of Technology & science, Chilkur, Nalgonda, India
2
Assistant Professor in ECE, Madhira Institute of Technology & science, Chilkur, Nalgonda, India
3
Assistant Professor in ECE, Madhira Institute of Technology & science, Chilkur, Nalgonda, India
1
dvenkataramireddy@gmail.com, 2praveen.dirisanapu@gmail.com

Abstract: Cryptographic methods are used to protect condential information against unauthorized modication
or disclosure. Cryptographic algorithms providing high assurance exist, e.g. AES. However, many open problems
related to assuring security of a hardware implementation of a cryptographic algorithm remain. Security of a
hardware implementation can be compromised by a random fault or a deliberate attack. The Traditional testing
methods are good at detecting random faults, but they do not provide adequate protection against malicious
alterations of a circuit known as hardware Trojans. For example, a recent attack on Intels Ivy Bridge processor
demonstrated that the traditional Logic Built-In Self-Test (LBIST) may fail even the simple case of stuck-at fault
type of Trojans. In this paper, we present a novel LBIST method for Feedback Shift Register (FSR)-based
cryptographic systems which can detect such Trojans. The specic properties of FSR-based cryptographic systems
allow us to reach 100% single stuck-at fault coverage with a small set of deterministic tests. The test execution
time of the proposed method is at least two orders of magnitude shorter than the one of the pseudo-random
pattern-based LBIST. Our results enable an efficient protection of FSR-based cryptographic systems from random
and malicious stuck-at faults.

hardware Trojans1. This is not only due to the fact that

I. INTRODUCTION a

Feedback Shift Register (FSR) based cryptographic

sys-tems are the fastest and the most power-efficient
cryptographic systems for hardware applications [1].
The speed and the power are two crucial factors for
future cryptographic systems, since they are expected to
support very high data rates in 5G ultra-low power
products and applications.
A hardware fault can compromise the security of a
cryp-tographic system. For example, suppose that the
output of a pseudo-random pattern generator used in a
stream cipher is stuck to the logic 0. A stream cipher
encrypts a message by combining it with a pseudo-
random pattern, typically by a bit-wise addition modulo
2. Therefore, if the pseudo-random pattern is all-0, the
message is sent unencrypted.
To make possible periodic fault detection in
functional circuits during their lifetime, cryptographic
systems often employ Logic Built-In Self-Test (LBIST).
However, as shown by a recent attack on Intels
cryptographically secure Random Number Generator
(RNG) used in the Ivy Bridge proces-sors [2],
traditional LBIST techniques have a limited use against
malicious alterations of the original circuit known as
The attack on Intels RNG [2] was done by modifying
the dopant masks to shorten the outputs of selected
gates to GND or to VDD.
Trojan can be inserted into the LBIST itself, but also
because the Trojan can be designed not to trigger the
LBIST, since LBIST usually detects only a subset of
all possible faults.
In this paper, we present a new method for LBIST
which makes possible detecting stuck-at fault type of
Trojans. The presented method specifically targets
FSR-based cryptographic systems. First, we use a
deterministic test set which covers 100% of single
stuck-at faults in the circuit under test, Test Pattern
Generator (TPG) and Test Response Analyser (TRA).
Second, we do not compact output responses into a
Multiple Input Signature Register (MISR) signature.
So, an attack based on selecting suitable values for the
Trojan which generate the correct MISR signature for
the inputs provided during the LBIST becomes
impossible in our case. Furthermore, Trojans inserted
into the LBIST circuitry itself (TPG and TRA) will be
detected.
 The presented method is similar to the traditional
scan design in that is provides a simple way of setting
and observing each flip-flop in a circuit. However,
unlike in the case of scan, we do not connect flip-flops
in scan chains. Instead, to support a test mode, we
multiplex the input of cells which serve as state
variables for the feedback functions and put a switch at
the output of cells which correspond to outputs to non-
trivial feedback functions. This allows for loading and
unloading of flip-flops contents during the test mode.
The size and the number of Boolean functions used in
cryptographic systems are typically considerably
smaller than the size of an FSR. Therefore, the
presented approach has small area overhead.
Furthermore, our technique does not affect the
propagation delay of the original circuit. In the
traditional scan, the propagation delay is always
increased by the delay of a multiplexer.
Boolean functions used in cryptographic systems are
com-
monly represented in Algebraic Normal Form (ANF)
[3]. It was shown by Reddy [4] that a combinational
logic circuit implementing an n-variable Boolean
function represented in ANF can be tested for all single
stuck-at faults using at most 3n + 4 tests. We use
Reddys result as a base to derive a minimal complete
test set for single stuck-at faults for combinational logic
circuits implementing feedback functions of an FSR.
The specific properties FSR-based cryptographic
systems allow us to reach 100% single stuck-at fault
A. Algebraic normal form of Boolean functions
An n-variable Boolean function f (x 1, ... , xn) is a
mapping of type f : {0, 1}n {0, 1}.
The dependence set [5] of a Boolean function f is
defined
by
dep( f ) = {i | f |xi=0 6= f |xi=1},
where f |xi= j = f (x0, ... , xi1, j, xi+1, ... , xn1) for j {0,
1}.
Any n-variable Boolean function has a unique
Algebraic Normal Form (ANF) [3] (also called
Reed-Muller canonical form [7]) which is a
representation of type:
2n1 i i
f (x1, ... , xn) = ci x11 x22 ... xnin , (1
i=0
where ci {0, 1} are constants, stands for the
Boolean AND and stands for the Boolean XOR.
The vector (i1i2 ... in) is the binary expansion of i
with i1 being the least
significant digit, and the term xijj denotes the i jth
power of the variable x j, j {1, ... , n}.
ANF is a common representation for Boolean
functions used in cryptographic systems [3]. To be
hardware efficient, cryptographic systems typically
use ANF of a small size. For example, consider the
stream cipher Trivium [8]. It is defined by a 287-bit
Feedback Shift Register (FSR) in which all but 3 out
of 287 of functions are trivial functions of type f i =
xi+1. The remaining 3 functions are:
f
287 = x0 x1x2 x45 x219

coverage with a test set of size at most (k + 2) (k + 3) f

194 = x
195 x196x197 x
117 x222
bits, where k + 1 is largest number of variables on

which any feedback function of the FSR depends. The
expected output responses can be stored using at most 110f
111 x112x113 x24 x126
= x

(k + 3) m bits, where m is the where is the Boolean XOR.

x x The primary output of Trivium is computed by
1 2
adding the values from cells 110, 194 and 287: fout
x x put = f287 f194 f110.
45 219 INPUTS
x f INPUTS FROM INPUTS FROM FROM
0 + + + 287
OTHER VARIABLES OTHER VARIABLES
OTHER
VARIABLES
IN DEP(fn-1) IN DEP(fn-2) IN DEP(f0)
Fig. 1: The logic circuit implementing ANF of the
feedback function f287 of Trivium. f f
n-1 n-1 n-2 n-2 f0 0
number of non-trivial feedback functions of the FSR.
CLOCK
The paper is organized as follows. Section II
summarises basic notations used in the sequel. Section Fig. 2: The general structure of an n-bit FSR.
III describes the presented method. Section IV gives
details of procedures used for fault detection. In
Section V, the presented method is demonstrated on
the example of Trivium stream cipher. Section VI We can see that functions f 287, f194 and f110 use only 15
concludes the paper and discusses open problems. out of 287 possible state variables in their ANFs in
total.
II. PRELIMINARIES
We use the standard notation from the areas of As another example, consider the 128-bit FSR
testing and logic synthesis. For a more detailed used in the stream cipher Grain-128 [9]. All its
description, the reader is referred to [5] and [6]. feedback functions except
 + is modulo n. If gi = 0, fi is called trivial. The
the function f127 are of type fi = xi+1. The function f127 is variable xi+1 of fi is called the free variable.
given by:
A cell with index i such that i dep( f j) for some
f
127 = x0 x26 x56 x91 x96 x3x67 non-trivial function f j, i, j {0, 1, ... , n 1}, is
x
11x13 x17x18 x27x59 called an control-lable cell.
x
40x48 x61x65 x68x84
This function uses 19 out of 128 possible state A cell with index j such that f j is non-trivial, j
variables. {0, 1, ... , n 1}, is called an observable cell.

From the examples above, the reader may see that
none of ANFs uses the same variable twice.
Furthermore, the same variable does not occur in more
than one ANF. In addition, the same index is not used as
both input and output, i.e. if f i is non-trivial, then the
state variable xi is not used. These typical features of
ANFs used in cryptographic systems follow from the
requirements for the cryptographic security of Boolean
functions [3].
Any n-variable Boolean function represented in
ANF can be implemented by a logic circuit consisting
of a linear cascade of two-input XOR gates fed by AND
gates, one corresponding to each product-term of the
expression (1) with a non-zero
constant ci, i {1, ... , 2n 1}. For example, the
function f287 of Trivium can be implemented by a circuit
shown in Fig. 1.
B. Feedback Shift Registers
An n-bit Feedback Shift Register (FSR) [10]
consists of n binary storage elements, called cells or
stages (see Fig. 2). Each cell i {0, 1, ... , n 1} has an
associated state variable xi {0, 1} which represents
the current value of the cell i and an feedback function fi
: {0, 1}n {0, 1} of type
fi(x0, x1, ... , xn1) = xi+1 gi(x0, x1, ... , xn1)
which determines how the value of i is updated, where
A cell with with is neither controllable cell, nor
observable cell, is called an internal cell.
The state of an FSR is a binary vector of values of
its state variables (x 0, x1, ... , xn1). At every clock
cycle, the next state
The traditional LBIST typically employs a Linear
FSR (LFSR) to generate pseudo-random test patterns
that are ap-plied to the circuit under test and a
Multiple Input Signature Register (MISR) for
obtaining the compacted response of the circuit to
these test patterns [11]. An incorrect MISR output
indicates a fault in the circuit. Various techniques can
be used to complement pseudo-random test patterns
[12], [13].
A problem with the traditional LBIST is that many
pseudo-random patterns (several thousands or more)
need to be applied to reach a satisfactory fault
coverage. This implies that test execution time can be
too long for some applications [14].
When the test mode is selected, the flip-flops with
multi-plexed inputs become inputs to the
combinational logic. The flip-flops which have a
switch on the output become outputs of the
combinational logic. As in a scan design, this increases
controllability and observability, making possible
testing a sequential circuit with tests for combinational
logic.

FEEDBACK SHIFT REGISTER

TO FROM/TO INPUT
CONTROLLABLE OBSERVABLE OUTPUT
CELL
CELLS S

TEST PATTERN TEST TEST RESPONSE

CLOCK
CONTROL
GENERATOR TEST_IN TEST_OUT ANALYSER (A) Original flip-
ENABLE ENABLE flop
CLOCK
 TEST
OUTPUT
FUNCTIONA TEST_OUT
L
INPUT ENABLE
0 OUTPUT INPUT
TEST
1 FUNCTIONA
INPUT L
TEST_I OUTPUT
N
ENABL
E
CLOCK CLOCK
(B) Flip-flop with (C) Flip-flop with a switch on
multiplexed inputs the output
con-nected to the Test Response Analyser
TEST PASSED/ (TRA) through a switch 2.
NOT
MODE PASSED

Fig. 3: A block diagram illustrating the presented .

method.
When the test mode is selected, the flip-flops with multi-
plexed inputs become inputs to the combinational logic.
The flip-flops which have a switch on the output become
is determined from the current state by updating the outputs of the combinational logic. As in a scan design,
values of all cells simultaneously to the values of the this increases controllability and observability, making
possible testing a sequential circuit with tests for
corresponding feedback functions.
combinational logic.

Note that such a technique does not affect the

Fig. 4: Modifications of FSR flip-flops to support test propagation delay of the original circuit. In the
mode. traditional scan, the propagation delay is always
increased by the delay of a MUX. We add MUXes only
C. Logic Built-In Self Test to the controllable cells, whose feedback functions are
trivial. Therefore, the propagation delay is still
The traditional LBIST typically employs a Linear determined by the observable cells, whose feedback
FSR (LFSR) to generate pseudo-random test patterns functions are non-trivial.
that are ap-plied to the circuit under test and a Multiple
Input Signature Register (MISR) for obtaining the The following signals are added to the FSR to
compacted response of the circuit to these test patterns control and observe its cells:
[11]. An incorrect MISR output indicates a fault in the
circuit. Various techniques can be used to complement 1) Test in enable signal controls the application of
pseudo-random test patterns [12], [13]. test vectors. When it is asserted, controllable
cells are connected to the TPG and TPG is
A problem with the traditional LBIST is that many connected to the clock. Otherwise, controllable
pseudo-random patterns (several thousands or more) cells are connected to their predecessor cells
need to be applied to reach a satisfactory fault coverage. and TPG is not connected to the clock.
This implies that test execution time can be too long for
some applications [14]. 2) Test out enable signal controls output response
anal-ysis. When it is asserted, observable cells
III. THE PRESENTED are con-nected to both the TRA and their
METHOD successor cells and TRA is connected to the
The method presented in this paper is similar to the clock. Otherwise, observable cells are
traditional scan design in that is provides a simple way connected to their successor cells only, and
of setting and observing each flip-flop in a circuit. TRA is not connected to the clock.
However, unlike in scan, we do not connect flip-flops in
scan chains. Instead, to support the test mode, we
modify the original FSR as follows (see Fig. 3): The comparison of expected and computed responses
can be done using TRA shown in Fig. 5. For each
1) We multiplex the input of each controllable cell observable cell i, the value at the test output is compared
as shown in Fig. 4(b). The input of the original to the expected value of fi using an XOR gate. The
flip-flop becomes the functional input of the
outputs of all XORs are fed into an OR gate the output
multiplexer (MUX). The test input of MUX is
connected to the Test Pattern Generator (TPG). of which indicates the presence/absence of a fault.
2) We duplicate the output of each observable cell
as shown in Fig. 4(c). The duplicated output is
 The TPG generates a test set T = T1 T2 of size (k
IV. FAULT DETECTION 3)(k 2) bits which is constructed as follows. The
set T1 consists of three tests listed in the table below.
In this section, we show that it is possible to detect
all single stuck-at faults in an FSR whose feedback
functions are represented in ANF using a test set of size
(k + 2) (k + 3) bits, where k is size of the largest output response the same for the cases of ANF with and
dep(gi), i {0, 1, ... , n 1}. We target cryptographic even and odd number of product-terms.
systems, therefore we assume that the feedback Test set T2
functions satisfy the following two properties: Outputs of TPG Expected output responses for
0E 0D 1 2 ... k |dep( fi)| j |dep( fi)| < j
t4 0 1 0 1 ... 1 0 1
1) If xi dep(g j), then xi 6dep(gk), for any i, j,t5k 0 1 1 0 ... 1 0 1
{0, 1, ... , n 1}, j 6= k. This means that the ...
same ... ...
variable does not occur more than once in t
k+3 0 1 1 1 ... 0 0 1
ANFs of non-trivial functions.
For arbitrary Boolean functions, it is also necessary
to detect faults on the inputs of the logic circuit
2) If gi 6= 0, then xi 6dep(g j), for any i, j {0,implementing ANF by sensitizing an odd number of
1, ... , n 1}, i 6= j. This means that, the same
paths from each input through the AND gates to the
cell is not used as both input an output of non-
output of the circuit. Since XOR gates are modulo 2
trivial functions.
adders, an even number of changes at the input of an
XOR cascade cancel out and do not cause a change on
the output. However, since we made an assumption that
no variable occurs more than once in ANFs of non-
FROM OBSERVABLE CELLS
0 1 M-1 trivial functions, in our case only one path is sensitized
by a change at some input. Therefore, no additional tests
TEST RESPONSE ANALYSER
are required for fault detection on inputs.
EXPECTE
EXPECTED D EXPECTED
OUTPUT 0 + OUTPUT 1 + OUTPUT M-1 To summarise, the set T = T1 T2 of k + 3 tests
CLOCK
detects all single stuck-at faults in the combinational
TEST_OUT
logic implementing all non-trivial feedback functions of
ENABLE an FSR. It also detect all single stuck-at faults:

PASSED IF 0,
NOT PASSED IF 1 Test set T1
Fig. 5: The structure of the TRA. Outputs of TPG Expected
0E 0D 1 2 ... k output responses
A. Detecting faults in the combinational logic t1 0 0 0 0 ... 0 0
Suppose that each non-trivial function fi, i {0, 1, ...
t
2 0 1 1 1 ... 1 1
, n 1}, is implemented by a logic circuit consisting of a t3 1 0 1 1 ... 1 0
linear cascade of two-input XOR gates fed by AND
gates, one corresponding to each product-term of the
ANF with a non-zero constant c i, i {1, ... , 2n 1}. LetT1 detects all single stuck-at faults at the inputs and
the size of the largest dependence set of functions f i be k
outputs of all XOR gates because it applies both 0 and 1
+ 1. For example, for Trivium, the size of the largest
dependence set is 5. For Grain-128, the size of the to every input and output of each XOR gate and an XOR
largest dependence set is 19. cascades always propagates any change to its outputs.
Either of 2nd and 3rd tests also detects all stuck-at-0
The TPG has k + 2 outputs 0E, 0D, 1, 2, ... , k which
faults at the inputs of all AND gates, since its set all
are connected to the test inputs of controllable cells of
inputs of all AND gates to 1s.
the FSR as follows. For all gi 6= 0, i {0, 1, ... , n 1}:
1) If the number of product-terms in the ANF of f i
is even, the output 0E of the TPG is connected The set T2, consists of k tests listed in the table
to the below. The test ti+3, i {1, 2, ... , k}, sets ith output of
cell i + 1. Otherwise, the output 0D of the TPG
is connected to the cell i + 1, where + is the TPG to 0 and all other outputs j {1, 2, ... , k}, j 6=
modulo n. i, to 1. T2 detects all single stuck-at-1 faults on the inputs
2) If |dep(gi)| j, then the output j of the TPG is of all AND gates. In general, the values set to 0E and 0D
connected to the cell corresponding to the jthdo not matter for the detection of faults. We set them to
variable in dep(gi), for j {1, 2, ... , k}. 0 and 1, respectively, to make the

1) At the test input of each controllable cell.
2) At the output of each controllable cell.
3) At the input of each observable cell.
4) At the output of each observable cell which is
con-nected to the TRA.
The detection of faults can be carried out using the
follow-ing procedure.
Procedure 1:
1) Assert the test in enable signal to connect testProcedure 2:
inputs of controllable cells controllable cells to
the TPG.
2) Apply one clock to load the test vector t i T , i
{1, 2, ... , k +3}, from the TPG to all
controllable cells in parallel.
3) Apply one clock to evaluate the non-trivial
feedback functions for the input assignment
defined by ti. The resulting output responses are
captured at the observable cells. At the same
clock cycle, the next test vector t i+1 from T is
loaded from the TPG to the controllable cells.
4) Assert the test out enable signal to connect test
outputs of observable cells to the TRA.
5) Apply one clock to upload the responses to ti
from all observable cells to the TRA in parallel.
The TRA compares the computed responses to
the expected responses. If they agree, TRA
outputs passed. Oth-erwise, it outputs not
passed. At the same clock cycle, non-trivial
feedback functions are evaluated for the input
assignment defined by ti+1. The resulting output
responses are captured at the observable cells.
The next test vector ti+2 from T is loaded from
TPG to the controllable cells.
6) Repeat the steps 2, 3 and 5 until all test vectors
from T are applied.
The Procedure 1 completes the application of all
tests from T and evaluation of all output responses in k +
5 clock cycles.
B. Detecting remaining faults in FSR
The set T does not detect stuck-at faults at internal
cells. To detect these faults, we use the tests t 1 and t2 of
the test set T1 and the Procedure 2 described below.
Let I = {i1, i2, ... , i|I|}, where i j {0, 1, ... , n 1}
for j {0, 1, ... , |I|}, be the union of dependence sets of
all non-trivial
functions:
I = {i | i dep( fi) (gi 6= 0)}.
Suppose that I is ordered as i1 > i2 > ... > i|I|. Then the
maximum distance between two controllable cells is
defined by
d = max(i j i j+1)
for all i j I, j {1, 2, ... , |I|}, where + is modulo n.
For example, for Trivium, d = 69 (between the
controllable cells 195 and 126). For Grain-128, d = 32
(between the controllable cells 0 and 96).
1) Set the test out enable signal low to disconnect
test outputs of observable cells from the TRA.
2) Assert the test in enable signal to connect test
inputs of controllable cells to the TPG.
3) Apply one clock to load the test vector t 1 T1
from the TPG into all controllable cells in
parallel.
4) Repeat d 1 times: Apply one clock to evaluate
the non-trivial feedback functions for the input
assign-ment defined by t1. The resulting output
responses are captured at the observable cells.
All internal cells capture the value of their
predecessors. At the same clock cycle, the same
test vector t1 from T is loaded again from the
TPG to the controllable cells.
5) Set the test in enable signal low to connect
functional inputs of controllable cells to their
predecessors.
6) Apply one clock to capture the value of the
predeces-sors of controllable cells into the
controllable cells.
7) Apply one clock to evaluate the non-trivial
feedback functions for the input assignment
defined by the controllable cells. The resulting
output responses are captured at the output flip-
flops.
8) Assert the test out enable signal to connect test
outputs of observable cells to the TRA.
9) Apply one clock to upload the responses from
all observable cells to the TRA in parallel. The
TRA compares the computed responses to the
expected responses. If the two responses agree,
TRA outputs passed. Otherwise, it outputs
not passed.
10) Repeat the steps 1-9 for the test vector t2 T1.
 Therefore, at step 9, the change 1/0 will be propagated
The Procedure 2 completes the application of teststo the TRA and detected.
and evaluation of all output responses in 2d + 6 clock
C. Detection of faults in the TPG
cycles.
Consider the case when a single stuck-at fault occurs
To detect stack-at-1 faults, all-0 test vector t 1 isof the output j of the TPG, j {0E, 0D, 1, ... , k}. Such a
applied from the TPG. During the step 4 of Procedure 2, fault will manifest itself as a multiple stuck-at fault at
value 0 which is computed as the observable cells as athe controllable cells connected to the output j. Since
response to t1 is shifted from the controllable cells none of the state variables occurs in more than one ANF,
through the chains of internal cells. each faulty input will affect only one fi. Therefore, the
change in values caused by the fault will not be canceled
In at most d clock cycles, all cells in the FSR are set to the
out and the fault will be detected by the Procedure 1.
0 value.
Suppose that a single stuck-at-1 fault occurs at some D. Detection of faults in the TRA
cell j which is not a controllable cell. During the step 4
TRA stores the expected responses to the tests and
of Procedure 2, in at most d 1 clock cycles the change
com-pares them to the computed responses. We have
0/1 will propagate to the predecessor of the nearest shown in the previous Section that for T the expected
2
controllable cell i after the cell j. At step 6, the change responses may differ for functions whose dependence
0/1 will shift to the cell i. At step 7, the change 0/1 will set have different sizes. In the worse case, all non-trivial
propagate to the observable cell which depends on cell i. functions may have dependence sets of different sizes.
Since we assumed that a single fault occurred in a cell Then, in order to store the expected responses, we need
which is not a controllable cell, all other inputs on which (k + 3) m bits, where m is the number of non-trivial
this observable cell depends have 0 value and cannot feedback functions.
cancel out the change. Therefore, at step 9, the change
0/1 will propagate to the TRA and will be detected. Note that the TRA circuit shown in Fig. 5 handles
not only single stuck-at faults in the FSR, but also
The detection of stuck-at-0 faults is moresingle stuck-at faults which occurs in the TRA itself,
complicated since the function values differ for ANFs except the stuck-at-0 and stuck-at-1 fault at the output
with an even and an odd number of product-terms. If the of the OR gate. To allow for detection of these faults,
ANF has an odd number of product-terms, we can set the OR gate can be duplicated.
the function to 1 by setting all its input variables to 1. If
the ANF has an even number of product-terms, we can V. EXAMPLE:TESTING
set the function fi to 1 by setting all its input variables
except xi+1 to 1. TRIVIUM
In this section, we illustrate the presented method
To be able to set different values to the controllable on the example of Trivium stream cipher.
cells xi+1 of different functions fi, we need to use two
outputs of TPG - one for functions whose ANF has an All non-trivial feedback functions of Trivium have
even number of product-terms, 0E, and the other for the dependence set of size 5 (see (2)) and an even
functions whose ANF has an odd number of product- number of product-terms. Therefore, the output 0D of
terms, 0D. the TPG is not required and the size of test vectors can
be 5 bits.
To detect stack-at-0 faults, the test vector t 2 is applied
from the TPG. During the step 4 of Procedure 2, the The TPG has 5 outputs which are connected to the
value 1 which is computed at the observable cells as a test inputs of controllable cells as follows.
response to t2 is shifted from the observable cells
through the chains of internal cells. In at most d 1 1) Output 0E is connected to 0, 195 and 111.
clock cycles, all internal cells are set to the 1 value.

Suppose that a single stuck-at-0 fault occurs at some

2) Output 1 is connected to 1, 196 and 112.
cell j which is not a controllable cell. During the step 4 3) Output 2 is connected to 2, 197 and 113.
of Procedure 2, this change will propagate to the 4) Output 3 is connected to 45, 117 and 24.
predecessor of the nearest controllable cell i after the 5) Output 4 is connected to 219, 222 and 126.
cell j. At step 6, the change 1/0 will shift to the cell i. At
step 7, the change 1/0 will propagate to the observable The TPG generates the test set which consists of 7
cell k which depends on the cell i. vectors listed in the table below.

At the observable cell j, the change 1/0 can be Expected output

potentially cancelled out only if the variable x i occurs in responses of fi
the ANF of fk in a product-term containing one or more j 0E 1 2 3 4 i {110, 194, 287}
other variables which have values 0. However, this is t1 0 0 0 0 0 0
not possible since the only input variables which are t2 0 1 1 1 1 1
loaded with 0 from the TPG are free variables. t
3 1 1 1 1 1 0
 t4 0 0 1 1 1 0 [1] T. Good and M. Benaissa, ASIC hardware
t5 0 1 0 1 1 0 performance, New Stream Cipher Designs: The
t6 0 1 1 0 1 0 eSTREAM Finalists, LNCS 4986, pp. 267293, 2008.
t7 0 1 1 1 0 0
[2] G. Becker, F. Regazzoni, C. Paar, and W. P.
The Procedure 1 takes 9 clock cycles. Burleson, Stealthy dopant-level hardware Trojans,
Proceedings of Cryptographic Hardware and Embedded
To detect stuck-at-1(0) faults in the internal cells, Systems (CHES2013), LNCS 8086, pp. 197214, 2013.
we first we load the test vector t1(t2) from TPG for d =
69 clock cycles and then upload the responses to TRA [3] T. W. Cusick and P. St nic , Cryptographic Boolean
for 3 clock cycles. The Procedure 2 takes 144 clock functions anda a applications. San Diego, CA, USA:
cycles. Academic Press, 2009.
For Trivium, the expected responses of functions f110,
f194 [4] S. Reddy, Easily testable realizations for logic
functions, IEEE Transactions on Computers, vol. 21,
and f287 to all tests are the same. Therefore, it is no. 11, pp. 11831188, 1972.
sufficient to store only one set of expected responses
(7 bits) and share it [5] R. K. Brayton, C. McMullen, G. Hatchel, and A.
for three functions. Sangiovanni-Vincentelli, Logic Minimization
Algorithms For VLSI Synthesis. Kluwer Academic
Publishers, 1984.
VI. CONCLUSION AND OPEN
[6] M. Abramovici, M. A. Breuer, and A. D. Friedman,
PROBLEMS
Digital Systems Testing and Testable Design. Jon Willey
To summarize, in k + 2d + 11 clock cycles, we can and Sons, New Jersey, 1994.
detect all single stuck-at faults in FSR, TPG and TRA
using the test set of size at most (k + 2) (k + 3) bits [7] D. H. Green, Families of Reed-Muller canonical
and a set of expected output responses of size at most forms, International Journal of Electronics, vol. 70, pp.
(k + 3) m bits, where k + 1 is largest number of 259280, 1991.
variables on which any feedback function of the FSR
depends, m is the number of non-trivial feedback
functions, and d is the largest distance between any [8] C. Canni` re and B. Preneel, Trivium, New Stream
two controllable cells. Cipher Designs:e The eSTREAM Finalists, LNCS 4986,
pp. 244266, 2008.
The presented method has the following advantages
com-pared to the traditional pseudo-random pattern- [9] M. Hell, T. Johansson, A. Maximov, and W. Meier,
based LBIST using scan:
The Grain family of stream ciphers, New Stream
Cipher Designs: The eSTREAM Finalists,LNCS 4986,
1) It causes no performance degradation.
pp. 179190, 2008.
2) It requires a small set of deterministic tests to \
cover 100% of single stuck-at faults. Thus, the [10] S. Golomb, Shift Register Sequences. Aegean Park
test exe-cution time is much shorter (at least Press, 1982.
two orders of magnitude).
3) It has a higher resistance against stuck-at fault [11] E. McCluskey, Built-in self-test techniques, IEEE
type of hardware Trojans. Design and Test of Computers, vol. 2, pp. 2128, 1985.
[12] H.-J. Wunderlich, BIST for systems-on-a-chip,
No single method can protect against all possibleIntegration, the VLSI Journal, vol. 26, no. 1-2, pp. 55
types of adversary attacks. Similarly, the proposed
78, 1998.
method may fail to detect some types of Trojans, e.g.
parametric Trojans [15] which change the parameters of
a circuit rather than its functionality. [13] K. Chakrabarty, Modular testing and built-in self-
test of embedded cores in system-on-chip integrated
ACKNOWLEDGEMENT circuits, in The Embedded Systems Handbook (R.
Zurawski, ed.), pp. 2722727, CRC Press, 2006.
The first author was supported in part by the research
grant No SM12-0005 from the Swedish Foundation for[14] G. Hetherington, T. Fryars, N. Tamarapalli, M.
Strategic Research.
Kassab, A. Hassan, and J. Rajski, Logic BIST for large
industrial designs: real issues and case studies, in
REFERENCES
Proceedings of International Test Conference
(ITC1999), Mr.D.PRAVEEN
was completed his B.Tech at Anurag
[15] M. Tehranipoor and F. Koushanfar, A survey of engineering college, ananthagiri, Nalgonda,
hardware Trojan taxonomy and detection, IEEE DesignTelangana. Currently he is pursuing his
Test of Computers, vol. 27, no. 1, pp. 1025, 2010. M.Tech at Madhira institute of technology and
sciences, Kodad, Nalgonda, Telangana, His
Authors Profile interests are VLSI,Digital signal
processing,micro processor and controllers and
Mr. D. VENKATARAMI REDDY, receivedcommunication systems.
the Master of Technology degree in EMBEDDED
SYSTEMS from the DR.PAULRAJ ENGINEERING
COLLEGE-JNTUH, he received the Bachelor of
Engineering degree from S.A. ENGINEERING
COLLEGE-ANNA UNIVERSITY. He is currently
working as Associate Professor and a Head of the
Department of ECE with Madhira Institute of
Technology And Sciences, kodad. His interest subjects
are Embedded Systems, Microprocessors,
Communication Systems, Digital Electronics and etc.

Miss. T BHAVANI, received the Master of

Technology degree in VLSI DESIGN from the
KODADA INSTITUTE OF TECHNOLOGY AND
SCIENCE FOR WOMEN-JNTUH, she received the
Bachelor of Engineering degree from MINA
INSTITUTE OF ENGINEERING AND
TECHNOLOGY FOR WOMEN -JNTUH. She is
currently working as assistant Professor of ECE with
Madhira Institute of Technology And Sciences, kodad.
Her interest subjects are Digital Signal Processing,
Signals & Systems, Analog communication and etc.